EU governments
to give law enforcement agencies access to all communications
dataThe new
initiative by the EU governments to back the demands of their
law enforcement agencies (LEAs) only came to light when Statewatch
"acquired" a series of EU documents which it had been
refused access to. The documents in question were refused on
the grounds that:

"the matter was still under discussion..[and] disclosure
of these document could impede the efficiency of the ongoing
deliberations."

The demands of the law enforcement agencies centre on the
issue of "data retention", that is the recording and
storage of all telecommunications data:

- every phone call, every mobile phone call, every fax, every
e-mail, every website's contents, all internet usage, from anywhere,
by everyone, to be recorded, archived and be accessible for at
least seven years

The move by the EU governments (the Council of the European Union)
has been sparked by a draft proposal put forward by the European
Commission on "the processing of personal data and the protection
of privacy in the electronic communications sector" (COM(2000)385
final, 12.7.00). The proposal would update Directive 97/55/EC
but is not "intended to create major changes to the substance
of the existing Directive", merely to "update the existing
provisions". The proposal thus builds on the principles
of the 1997 law and data protection rules established in EU community
law.

Also under discussion is a related Communication from the Commission
on "Creating a Safer Information Society by improving the
security of information infrastructures and combating computer-related
crime" (COM(2000)890 final) (see Statewatch, vol 11 no 1).
Here the Commission, in line with community law, emphasises that:
"interceptions are illegal unless they are authorised by
law when necessary in specific cases for limited purposes".

The EU-FBI
surveillance plan comes home
The EU adopted the "Requirements" developed by the
FBI on 17 January 1995 - the "Requirements" set out
demands on network and service providers to provide the law enforcement
agencies with both data from intercepted communications and real-time
access to transmissions (see Statewatch, vol 7 no 1 & 4 and
5; vol 8 no 5 & 6; vol 9 no 6; vol 11 no 1).

In September 1998 the EU's Police Cooperation Working Party proposed
that the "Requirements" be extended to cope with internet
and satellite phone telecommunications. The initial report (ENFOPOL
98) went through several drafts and ended up as ENFOPOL 19 (15
March 1999) which gathered dust. It transpired that because of
the "negative press" surrounding ENFOPOL 98, which
coincided with exposures on the ECHELON spying system, there
was a lack of "political support" to move forward on
the issue (report on the Police Cooperation Working Party meeting
on 13-14 October 1999 by the European Commission).

In the spring of 2000 the EU's Police Cooperation Working Party
decided that issues previously discussed under the title of "interception
of telecommunications" would now be called "advanced
technologies". A report by the same working party (ENFOPOL
52, 12 July 2000) spelt out that "an informal inter-pillar
link" should be created between their work and that being
carried out under the "first pillar" on the "global
Information Society". The purpose was to bring to the attention
of the Telecommunications Council and the Internal Market Council,
working on technical and commercial decisions, the need to: "safeguard
the possibility of lawful interception".

On 29 May 2000 the Convention on Mutual Assistance in criminal
matters was agreed by the EU Justice and Home Affairs Council
and is now out for ratification by each of the 15 EU national
parliaments. This includes provisions for the interception and
exchange of telecommunications data based on specific requests
but makes no provision for the retention of data (except in individual,
authorised, instances).

This Convention and the work of intergovernmental groups, like
ILETS (International Law Enforcement Telecommunications Seminar)
and the G8 Sub group on High-Tec Crime, and the adopted 1995
"Requirements" provide the basis for provisions in
new national laws on the interception of telecommunications across
the EU - for example the UK's Regulation of Investigatory Powers
Act (R.I.P. Act) which came into force on 28 July 2000.

All of these new legal powers and demands on the network and
services providers under the "Requirements" do not,
however, give the law enforcement agencies everything they need
as they only cover the exchange and interception of data on the
production of an "interception order" (eg: warrants
under national laws). None of them provide for the wholesale
retention of data and access to it by law enforcement agencies
except in specific authorised cases.

EU Data Protection
officials come out against data retention
Data Protection Commissioners in the EU and their officials,
who attend a multitude of working parties, have long been aware
that the "law enforcement agencies" in quasi-secret
international fora have been arguing not for data to be retained
for 30 days or 90 days (as it is currently for billing purposes)
but for much longer - for up to seven years at least. In her
annual report for 2000 the UK Data Protection Commissioner, Elizabeth
France, said: "The routine long-term preservation of data
by ISPs [internet service providers] for law enforcement purposes
would be disproportionate general surveillance of communications".

The spring Conference
of European Data Protection Commissioners in Stockholm, 6-7 April
2000, issued a declaration on the "Retention of Traffic
Data by Internet Service Providers" saying:

"such retention would be an improper invasion of the
fundamental rights guaranteed to individuals by Article 8 of
the European Convention on Human Rights. Where traffic data are
to be retained in specific cases, there must be a demonstrable
need, the period of retention must be as short as possible and
the practice must be clearly regulated by law."

The meeting of the International Working Group on Data Protection
in Telecommunications in Berlin on 13-14 September 2000 adopted
a common position on the Council of Europe draft Convention on
"cyber-crime" (see Statewatch vol 10 no 6). This said
that the storing of "data on all telecommunications and
Internet traffic for extended periods" is:

"disproportionate and therefore unacceptable. The Working
Party underlines that traffic data are protected by the principle
of confidentiality to the same extent as content data (Article
8 of the European Convention on Human Rights)."

The European Commission lent weight to the Data Protection officials'
arguments in its draft proposal, put out at the end of last year
(and agreed on 26.1.01), on "Creating a Safer Information
Society by improving the security of information infrastructures
and combating computer-related crime". This says that laws
in EU member states have to be in line with community law on
data protection and privacy:

"safeguards for the protection of the individual's fundamental
rights of privacy, such as limiting the use of interception to
investigations of serious crime, requiring that interception
in individual investigations should be necessary and proportionate,
or ensuring that the individual is informed about the interception
as soon as it will no longer hamper the investigation" (p16)

On 22 March 2001 EU Data Protection Working Party also published
a strong opinion on the Council of Europe's Draft Convention
on cyber-crime. It said that the provision in the draft proposal
which does "not oblige signatories to compel providers to
retain traffic data of all communications should in no way be
revised". The EU has already indicated that it will adopt
this Convention.

The Data Protection Commissioners and others in the field have,
together, made formidable arguments for maintaining rights and
protections put into place in the EU during the 1990s on data
protection and privacy.

Law enforcement
agencies fight back
In the face this substantial opposition to the automatic retention
and storage of content and traffic data for long periods (for
longer than allowed under EU law, around 30 days) the law enforcement
agencies needed heavy-weight "political support", denied
earlier, from the governments of the EU (the Council).

A far-reaching report sent by the UK National Criminal Intelligence
Service (NCIS) to the Home Office on 21 August 2000 set out the
demands of the agencies which reflect the conclusions of discussions
in international fora in which the UK plays a prominent role,
such as in G8 (see Statewatch, vol 10 no 6). The report called
for the retention of all content and traffic data from all forms
of telecommunications (phone-calls, mobile phone-calls, faxes,
websites and internet usage) to be recorded and kept for at least
seven years. What was of particular note is that this report
was presented on behalf of all the UK law enforcement agencies
and all the UK's security and intelligence agencies (MI5, MI6
and GCHQ). This suggests that while the primary demand is coming
from the former the latter have a major stake too. This report
was not in the public domain until December 2000.
Confirmation of a counter-attack by the law enforcement agencies
emerging in the EU came in July 2000. As noted earlier, ENFOPOL
52 (12.7.00) from the Working Party on Police Cooperation had
called for "an informal inter-pillar link" to be created
between their work and that being carried out under the "first
pillar" on the "global Information Society". This
was the very same day, 12 July 2000, that the Commission put
out its proposal on personal data and the protection of privacy
(COM(2000)385).

The minutes of the Council's Working Party on Police Cooperation
for the meeting on 19/20 July note a lengthy "exchange of
views" with the French Presidency on the "relations
between the first and third pillars in the field of advanced
technologies". It also noted the Commission's proposal and
"decided to come back to this item regularly during the
next six months".

It was a report from the working party to the Article 36 Committee
(senior interior ministry officials from the 15 EU member states)
dated 31 October 2000 which began to express the need for urgent
action. This report (ENFOPOL 71) said six countries - Belgium,
Germany, France, Netherlands, Spain and the UK - had "grave
misgivings" about the effect of Article 6 which effectively
states that traffic data "must be erased or made anonymous
upon completion of the transmission" (emphasis in original).
The provision would "render it impossible to trace "historical"
data and seriously reduce the investigation services' chances
of identifying perpetrators.." The report then tries to
justify its demands by reference to: i) the 17 January 1995 "Requirements"
which it does not cover the retention of data indefinitely; ii)
the Council of Europe draft Convention on cyber crime which in
the latest version excludes general data retention and iii) the
Convention on Mutual Assistance in criminal matters where data
retention is "implied".

The report concludes by noting that the Commission's proposed
measure "is already well advanced" and the Working
Party urges the Article 36 Committee to:

"examine these observations so that it may use every
available channel to bring this problem to the attention of the
authors of the draft Directive concerned."

The minutes of the Article 36 Committee on 6 November 2000
state that the government delegations be asked to contact their
colleagues working on "first pillar" working parties
to coordinate:

"the
first and third pillar work in the field of advanced technologies,
notably the telecommunications sector. It should be avoided that
first pillar data protection measures hinder unduly third pillar
attempts to monitor telecommunications connections."

The Working Party
on Police Cooperation updated its report in ENFOPOL 71 REV 1
(27.11.00) (see Statewatch, vol 11 no 1). This report states
the demands of the law enforcement agencies starkly. While noting
that their demands:

"would probably not be considered proportionate, as it
would call into question the very aim of the draft Directive"

namely the protection of personal data and privacy, but it still
goes on to argue that:

"It is impossible for investigation services to know
in advance which traffic data will prove useful in a criminal
investigation. The only effective national legislative measure
would therefore be to prohibit the erasure or anonymity of traffic
data."

This report urged the Article 36 Committee to "take into
account the serious consequences the Directive would have for
criminal investigations, public security and justice."

At a meeting on 14 December the Article 36 Committee some delegations
(representing their governments) "advocated harmonising
the period for storing data." The Committee decided to wait
and see "how much account" the Commission took of delegations'
(government) comments before deciding "whether to alert
COREPER and the Council to the issue."

At the Justice and Home Affairs Council on 15 March this year,
Commissioner Vittorino reported that at a hearing which took
place on 7 March "the central question of the retention
of traffic data dominated discussions".

However, it is clear that the Commission was not taking "much
account" of the Council's view so that by 30 March the Swedish
Presidency felt obliged to draw up draft Council Conclusions
on the issue of data retention. The report recommending draft
Conclusions on access by the law enforcement agencies to traffic
data was discussed at the meeting of the Working Party on Police
Cooperation on 6 April. The minutes of this meeting say that
it:

"took note of the reservation by the representative of the
Commission concerning the procedure followed within the Council"

Clearly the Commission was concerned that the Council was, unusually,
considering adopting "Conclusions" which would fundamentally
undermine its proposed Directive. The two new reports, dated
30 March (see below) were discussed at the Article 36 Committee
meetings on 10 April and 3 May.

The key reports
The first new crucial report is ENFOPOL 29 (30.3.01) which reintroduces
the highly criticised new definition of the "Requirements"
to be laid on network and service providers in "ENFOPOL
98". It is intended that this report and an accompanying
Council Resolution will go through the Justice and Home Affairs
Council on 28-29 May.
The report looks at the "operational needs" of the
LEAs as applied to the "Requirements" (IURs) adopted
on 17 January 1995 (by the EU under "written procedure"
and not made public until November 1996). It gives much more
detail on their expectations than the bland "Requirements".
As such it is an attempt to re-introduce the highly-controversial
ENFOPOL 98 (and later drafts) which led to much adverse comment
in the media (as a result of which it has been held up since
March 1999).

The report looks at: "Applicable services" and makes
clear that interception will cover all forms of telecommunications
eg: ISDN (e-mail and internet usage), mobile phones and satellite
phones. On IUR ("International User Requirement") no.1
it says, like ENFOPOL 98, that the law enforcement agencies expect
to have access not just to the call content but also to:

plus IP addresses, account numbers, logon ID/passwords, PIN numbers
and e-mail addresses. They also want access to the "transmitted"
and "received" data and "any telecommunications
associated with.. the subject of interception". A redefined
"IUR 1.4" states that "associated data" includes
"conference calls, call forwarding, mobile calls, network
calls, call back services etc" must also be provided on
the intercepted subject. An ominous "NB" says it also
includes data "where it has been retained by providers in
accordance with the requirements of their national legislation".
"IUR 1.5" extends the meaning of "geographical
location" to "geographical, physical or logical"
location and "IUR 1.3" again refers to "national
jurisdictions" in the context of excluding data which is
not "within the scope of the interception authorisation",
ie: some national laws might allow the inclusion of "excluded"
data. "IUR 6" is another direct inclusion of a controversial
proposal taken from ENFOPOL 98. It says that the LEAs are to
be provided with:

a. full name of the person (company)
b. the residential address and
c. credit card details

This report extends the remit for interception to: all forms
of telecommunications (including e-mails and internet usage)
and requires personal details on the interception subject. It
also contains a number of references to "national jurisdictions"
where, by implication, powers may be greater than the norm.

Some EU governments see ENFOPOL 29 ("ENFOPOL 98") as
simply "technical" changes to the "Requirements".
However, they fail to understand that it is precisely the details
of how the "Requirements" will be used that signals
the enormity of the threat to data protection, individual privacy
and fundamental freedoms.

A greater, and complementary, danger is the battle between the
Data Protection officials and the law enforcement agencies over
the retention of data (content and traffic details) for long
periods (seven years or more) and the right of the law enforcement
agencies to access this archived data at will for purposes of
investigating any crime however minor or for the purpose of intelligence-gathering
- so-called "fishing expeditions".

This is the enormous significance of the "Council Conclusions"
in ENFOPOL 23 (30.3.01). The EU governments are, in effect, to
tell the European Commission (and European Parliament) that the
demands of the law enforcement agencies take precedence over
the privacy and freedoms of people. Council officials will "spin"
the usual line that "Conclusions" are not binding,
but the timing of the decision and the enormity of its effect
will brush this aside.

The draft proposal says that:

1. The obligation for operators to erase and make traffic data
anonymous "seriously obstructs" criminal investigations;

2. It is the "utmost importance" that "access"
be "guaranteed" for criminal investigations;

3. It calls on the European Commission to:

a) to take "immediate action" to ensure that law enforcement
agencies can have access now and "in the future" in
order to "investigate crimes where electronic communications
systems are or have been used" (emphasis added);

b) the "action" should be "a review of the provisions
that oblige operators to erase traffic data or to make them anonymous".

The "Conclusions" say that the Council:

1. "considers it important that the law enforcement authorities
be not obstructed or hampered in their efforts to investigate
crime, such as dissemination of child pornography or agitation
against an ethnic group via the Internet"

This blatantly cynical use of "child pornography" and
racism has become a standard justification for the extension
of EU surveillance powers not just for these offences - but for
all and any offence. These phrases have replaced "organised
crime" and "illegal immigration", used for many
years in a similar way.

2. "understands that on this issue.. it is important
to find a solution that is well founded, proportionate and well-balanced"

It is not possible to "balance" the different interests.
There is no need under EU law for commerce to keep data except
for very limited periods (eg: 30 days to check billing). The
existing "Requirements" and most national laws allow
for the gathering of data for criminal investigation in specific
instances subject to proper authorisation and legal safeguards.

3. "emphasises the opinion of the Council that the obligation
for operators to erase and make traffic data anonymous, besides
obstructing seriously crime investigations, also can lead to
a decreasing confidence in, particularly, the electronic commerce..."

The EU governments fail to understand that is precisely the erasure
of data and anonymity which creates "confidence in electronic
commerce" by citizens. A wholesale reversal of this policy
as envisaged would indeed create a "crisis of confidence".

4. "invites.. the European Commission to take immediate
action with the purpose of ensuring that the law enforcement
authorities also in the future will have the opportunity to investigate
crimes where electronic communications systems are or have been
used.. the action to be taken should comprise a review of the
provisions that oblige operators to erase traffic data or to
make them anonymous; the object of the action should be to ensure
that the purpose of limitations regarding the personal data do
not come into conflict with the law enforcement authorities'
needs of data for crime investigation purposes."

In effect the Council is telling the European Commission (and
the European Parliament) that the proposed Directive on the table
has to be changed and that all existing EU data protection and
privacy laws have to be reviewed. It is calling for an end to
the obligation, under current EU law, of commerce to erase data
and to end anonymity and to ensure that law enforcement agencies
have the "opportunity" to access all data held.

The next
legislative steps
The urgency on the part of the law enforcement agencies is due
to the fact that the first proposal they want changed is the
Commission's proposed Directive on personal data and privacy
in electronic communications is already before European Parliament
committees under the co-decision procedure - Citizens' Freedoms
and Rights (lead committee), Environment, Industry and Legal
Affairs. These committees are due to put a report to the parliament's
plenary session on 3 September. However, the Council is likely
to adopt a common position at the Telecommunications Council
on 27 June. Co-decision means all three institutions (Commission,
Council and European Parliament) have to agree on the new measure.
The Council is trying to pre-empt the parliament's opinion by
putting forward radical changes on the retention of content and
traffic data.

&COPY; Statewatch ISSN 1756-851X.Material may
be used providing the source is acknowledged.Statewatch
does not have a corporate view, nor does it seek to create one,
the views expressed are those of the author. Statewatch is not
responsible for the content of external websites and inclusion
of a link does not constitute an endorsement.